Hashing exploit threatens digital security

Celeste Biever in New Scientist:

Cryptographers have found a way to snip a digital signature from one document and attach it to a fraudulent document without invalidating the signature and giving the fraud away.

The development means that attackers could potentially forge legal documents, load certified software with bogus code, or turn a digitally-signed letter of recommendation into one that authorises access to private information.

Digital signatures are used to authenticate website connections, emails and legal documents in some countries. They work because they are unique to the file or software that is signed, as they are created from the contents of the signed file. Therefore, if someone tries to cut a digital signature from one document and stick it to another, the signature fails because it no longer matches the document.

More here.